|
It seem's to me that's quite trivial for an end user of wabfaced application to recognize the WFLogon servlet parameter clcmd and I find myself trying URL like: http://myserver/myappl/WFLogon?clcmd=CRTPF+FILE(MYLIB/MYFILE)+RCDLEN(120) or http://myserver/myappl/WFLogon?clcmd=DLTF+FILE(MYLIB\MYFILE) and they, not surprising, WORKS! Oh yes, I con use invocation files to obfuscate the clcmd mode but it's not an answer; oh yes, there is the OS security but that wasn't an issue for pre-WebFacing shops and so .... I'm thinking about a j2ee filter on WFLogon pattern, combined with a proxy program that work on prefixed command (someting like CALL+MYPROG+PARM(CMDCODE CMDPARMS ...)... but i hope i'm over estimating the "problem". Had someone already considered this ? Am i too scared the this issue ? thank you
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
